gaurav gupta
2011-Feb-10 11:07 UTC
Behaviour of OpenSSH while login as root and non-root account
Hello Friends,

I am writing a PAM module for SSH to enforce one more layer of authentication. For that I need the terminal ID in the close_session() and pam_sm_setcred() functions in the PAM module, while OpenSSH hardcoded it as "ssh". I made a few changes in the OpenSSH code so it can set the terminal ID properly. These changes were:

added do_pam_set_tty() in the session_pty_req(Session *s) function in session.c and added do_pam_set_tty() in the mm_pty_allocate() function in monitor_wrap.c

It works fine for root and I get the appropriate tty in the pam_sm_cred() and pam_sm_close_session() functions.

But using the same code, when I try to ssh through a non-root account I am getting the tty in pam_sm_close_session() but not in pam_sm_cred(). I am not sure why ssh is behaving differently for root and non-root accounts.

Is there anything which triggers SSH behavior for root and non-root accounts, or can anyone suggest what can be wrong here? I have no idea how I can proceed and it would be great if someone can give me some pointers.

--
Thanks & Regards,
Gaurav Gupta
Damien Miller
2011-Feb-11 02:02 UTC
Behaviour of OpenSSH while login as root and non-root account
On Thu, 10 Feb 2011, gaurav gupta wrote:

> Hello Friends,
>
> I am writing a PAM module for SSH to enforce one more layer of
> authentication. For that I need the terminal ID in the close_session() and
> pam_sm_setcred() functions in the PAM module, while OpenSSH hardcoded it as
> "ssh". I made a few changes in the OpenSSH code so it can set the terminal
> ID properly. These changes were:
>
> added do_pam_set_tty() in the session_pty_req(Session *s) function in
> session.c and added do_pam_set_tty() in the mm_pty_allocate() function in
> monitor_wrap.c
>
> It works fine for root and I get the appropriate tty in the pam_sm_cred()
> and pam_sm_close_session() functions.
>
> But using the same code, when I try to ssh through a non-root account I am
> getting the tty in pam_sm_close_session() but not in pam_sm_cred(). I am not
> sure why ssh is behaving differently for root and non-root accounts.
>
> Is there anything which triggers SSH behavior for root and non-root accounts,
> or can anyone suggest what can be wrong here? I have no idea how I can
> proceed and it would be great if someone can give me some pointers.

Yes, post-auth privilege separation is skipped for root users. See Niels' paper for more details: http://www.citi.umich.edu/u/provos/papers/privsep.pdf